Past, Present, Future of Anonymous Publishing Infrastructure

Fabio Pietrosantie-privacy 2012

naif@globaleaks.orgMilano 21-06-2012

Thursday, June 21, 2012

Tor Hidden Services

• Anonymity for the server

• eqt5g4fuenphqinx.onion

• End-to-end encryption

Thursday, June 21, 2012

Why use Hidden Service?

• Avoid retaliation for what you publish

• Securely serve content

• Protect against seizures/location

Thursday, June 21, 2012

Tor2web

• Exchange clients anonymity for usability

• Connects Tor Hidden Services with the surface web

• You can setup an anonymous site and impact the whole net

• site:tor2web.org 52k link on google

Thursday, June 21, 2012

Tor2web 1.0

Thursday, June 21, 2012

Tor2web 1.0 issues

• Exposed to abuse complaints

• Misuse of HS to spread of illicit content

• No disclaimer

• No reporting system

• High latency -> Little usability

• The leads to server takedown

Thursday, June 21, 2012

Tor2web 1.0 bodycount

• In 2010 there where at one point 3 tor2web nodes

• In April 2011, there was only one server left

• In June 2011, the last of the 3 original tor2web nodes went offline

Thursday, June 21, 2012

Tor2web 2.0

Thursday, June 21, 2012

Tor2web 2.0 improvements

• Tell the audience the content is not hosted

• Abuse complaint reporting system

• Dynamic URL rewriting

Thursday, June 21, 2012

Tor2web 2.0 issues

• Usability aspect not dealt with (white-page effect)

• Not easily deployed

• Crappy code

• Trust issue with sharing of *.tor2web.org SSL private key

Thursday, June 21, 2012

Tor2web 3.0

• Reimplementation funded by RFA F2C and managed by Hermes Assocation wihtin GlobaLeaks Project

• Distribute responsibility

• Rewrite the code

•Get more Tor2web node!

Thursday, June 21, 2012

Tor2web mode

• A tor2web node does not need anonymity

• To improve performance reduce the number of hops

• An experimental implementation will be in tor 0.2.3.x

Thursday, June 21, 2012

Multi-domaindistribution

• To run a tor2web node currently we need to entrust you with the wildcard SSL cert

• You should be able to run tor2web on xxxx.your_domain.org

• There can be a list of all supported tor2web domains

Thursday, June 21, 2012

Unique and Temporary URL

• Separate the linker to content from the server

• I request xxxx.tor2web.org

• Just for me get’s generated yyyyy.tor2web.org (or also yyyyy.something.org)

• If someone else visits at a latter time yyyyy.tor2web.org it is expired

• This also avoids hot-linking

Thursday, June 21, 2012

Legal Help

• Terms of Services

• Any lawyers willing to help?

Thursday, June 21, 2012

Let’s talk.

Tor2web Cataclysm Edition: https://github.com/globaleaks/Tor2web-3.0

tor2web 2.0: https://github.com/globaleaks/tor2web-2.0

tor2web wiki: http://wiki.tor2web.org/index.php/Main_Page

Thursday, June 21, 2012

Past, Present, Future of Anonymous Publishing Infrastructure

Fabio Pietrosantie-privacy 2012

naif@globaleaks.orgMilano 21-06-2012

Thursday, June 21, 2012